Abstract. We introduce a method for automated parameterized verification of fault-tolerant distributed algorithms. The distributed algorithms we consider are parameterized by both the number of processes and the assumed maximum number of Byzantine faulty processes. At the center of our technique is a parametric interval abstraction (PIA) where the interval boundaries are arithmetic expressions over parameters. Using PIA for both data abstraction and a new form of counter abstraction, we reduce the parameterized problem to finite-state model checking. We demonstrate the practical feasibility of our method by verifying several variants of the well-known distributed algorithm by Srikanth and Toueg. To the best of our knowledge, this is the first paper to achieve parameterized automated verification of Byzantine fault-tolerant distributed algorithms.



1 Introduction 

Fault-tolerant distributed algorithms (FTDA) constitute an important and active area of research with a rich body of results [2211]. The current paper is part of an interdisciplinary effort to develop a tool basis for the automated verification, and, in the long run, deployment of FTDAs [17,19].

As discussed in [17,19], the verification of FTDA has to address two challenges, (i) the formalization problem, i.e., the question how to move from a mathematically intricate, but usually quite informal description in pseudocode to an adequate formal model, and (ii) the verification problem, i.e., how to verify FTDA by an automated model checking based method. This paper is exclusively concerned with the verification problem. Based on a formal framework of control flow automata for FTDA developed in [17], we develop abstraction-based methods for parameterized verification of FTDA, and demonstrate the feasibility of our approach for a family of FTDA after Srikanth and Toueg [27,28].

Most previous research on parameterized model checking has focused on concurrent systems with n+c processes where n is the parameter and c is a constant: n of these processes are identical copies; c processes represent the non-replicated part of the system, e.g., cache directories, shared memory, dispatcher processes etc. [14,16,23,15]. Many approaches abstract the n processes to a finite system, e.g., counter abstraction [53], and environment abstraction [8]. Note that most of the work on parameterized model checking considers only safety. Notable exceptions are [18,24] where several notions of fairness are considered in the context of abstraction to verify liveness.

FTDAs differ from this standard setting in a crucial aspect: a certain number t of the n processes can be faulty. In the case of e.g. Byzantine faults, this means that the faulty processes can send messages in an unrestricted manner. Importantly, the upper bound t for the faulty processes is also a parameter, and is essentially a fraction of n. The relationship between t and f is given by a resilience condition, e.g. n > 3t. Thus, the verification has to consider all systems with n − f non-faulty and f faulty processes, where f ≤ t and n > 3t.

It is evident that an FTDA cannot wait for a specific process to send a 
message since the process can be faulty. Therefore, most FTDAs use counters 
to reason about their environment. If, for instance, a process receives a certain 
message m from more than t processes, it can conclude that one of the senders 
is non-faulty. A large class of FTDAs expresses these counting arguments using 
threshold guards: 

if received <m> from n-t distinct processes 
then action(m); 

The technical contribution of our paper is an abstraction method for parameterized verification of FTDAs with resilience conditions and threshold guards. Our abstraction proceeds in two steps. Both of them are based on parametric interval abstraction (PIA), a generalization of interval abstraction where the interval borders are parameters rather than constants. Using the PIA domain, we obtain a finite-state model checking problem in two steps:

Step 1: PIA data abstraction. We evaluate the threshold guards over the parametric intervals. Thus, we abstract away unbounded variables and parameters from the process code. We obtain a parameterized system where the replicated processes are finite-state and independent of the parameters.

Step 2: PIA counter abstraction. We use a new form of counter abstraction where the process counters are abstracted to PIA. Since Step 1 guarantees that we need only finitely many counters, PIA counter abstraction yields a finite-state system.

We show the practicality of our approach by model checking safety and liveness specifications of several variants of the distributed broadcasting algorithm by Srikanth and Toueg [28]. Note that our PIA abstractions allow us to soundly abstract fairness requirements. This is required by many FTDAs.

Our experiments show the need for abstraction refinement to deal with spurious counterexamples [5]. We had to deal with spurious behaviors that are due to parameterized abstraction and fairness. In addition to refinement of counter abstraction by SMT solvers, we are also exploiting simple user-provided invariant candidates to refine the abstraction similar to the CMP method [23,30].
Related work. Traditionally, correctness of FTDAs was shown by handwritten proofs [2211], and, in some cases, by proof assistants |21I26I3I2"U]. Completely automated approaches are usually not parameterized, e.g. [31,29]. Our work stands in the tradition of parameterized model checking for protocols [21141811212416], i.e., distributed algorithms such as mutual exclusion, cache coherence etc.

We are aware of a single model checking paper [13] which addresses FTDAs 
in a parameterized setting. It is based on regular model checking. In contrast 
to our results, (i) the processes in [13] cannot contain references to parameters, 
and therefore cannot express threshold guards, and (ii) their case study considers 
only a simple fault model (crash) with 17 faults and n as the sole parameter. 

An abstract domain similar to PIA was developed in [25]. It was used in the framework of abstract interpretation, and was developed as a generalization of the polyhedra domain. Starting from a similar domain, [25] is thus taking a direction that is substantially different from parameterized model checking.

2 Parameterized Model for Distributed Algorithms 

We define the parameters, local variables of the processes, and shared variables referring to a single domain $D$ that is totally ordered and has the operations addition and subtraction. In this paper we will assume that $D = \mathbb{N}_0$.

We start with some notation. Let $Y$ be a finite set of variables ranging over $D$. We will denote by $D^{|Y|}$ the set of all $|Y|$-tuples of variable values. In order to simplify notation, given $s \in D^{|Y|}$, we use the expression $s.y$ to refer to the value of a variable $y \in Y$ in vector $s$. For two vectors of variable values $s$ and $s'$, by $s =_X s'$ we denote the case where for all $x \in X$, $s.x = s'.x$ holds.

Process. The set of variables $V$ is $\{sv\} \cup \Lambda \cup \Gamma \cup \Pi$. The variable $sv$ is the status variable that ranges over a finite set $SV$ of status values. The finite set $\Lambda$ contains variables that range over the domain $D$. The variable $sv$ and the variables from $\Lambda$ are local variables. The finite set $\Gamma$ contains the shared variables that range over $D$. The finite set $\Pi$ is a set of parameter variables that range over $D$, and the resilience condition $RC$ is a predicate over $D^{|\Pi|}$. In our example, $\Pi = \{n, t, f\}$, and the resilience condition $RC(n, t, f)$ is $n > 3t \land f \le t \land t > 0$. Then, we denote the set of admissible parameters by $P_{RC} = \{p \in D^{|\Pi|} \mid RC(p)\}$.

A process operates on states from the set $S = SV \times D^{|\Lambda|} \times D^{|\Gamma|} \times D^{|\Pi|}$. Each process starts its computation in an initial state from a set $S^0 \subseteq S$. A relation $R \subseteq S \times S$ defines transitions from one state to another, with the restriction that the values of parameters remain unchanged, i.e., for all $(s, t) \in R$, $s =_\Pi t$. Then, a parameterized process skeleton is a tuple $Sk = (S, S^0, R)$.

We get a process instance by fixing the parameter values $p \in D^{|\Pi|}$: one can restrict the set of process states to $S|_p = \{s \in S \mid s =_\Pi p\}$ as well as the set of transitions to $R|_p = R \cap (S|_p \times S|_p)$. Then, a process instance is a process skeleton $Sk|_p = (S|_p, S^0|_p, R|_p)$ where $p$ is constant.

In analogy to software model checking where programs are translated into Kripke structures, we use control flow automata to represent distributed algorithms that contain threshold guards, and then show how they induce process skeletons. In particular, we use control flow automata in a representation where transitions are in a form of single static assignment (SSA) [10].

Formally, a guarded control flow automaton (CFA) is an edge-labeled directed acyclic graph $A = (Q, q_I, q_F, E)$ with a finite set $Q$ of nodes, called the locations, an initial location $q_I \in Q$, and a final location $q_F \in Q$. A path from $q_I$ to $q_F$ is used to describe one step of a distributed algorithm. The edges have the form $E \subseteq Q \times guard \times Q$, where $guard$ is defined as an expression of the following syntax:



var        ::= (name of a variable from Λ ∪ Γ)
sval       ::= (an element of SV)
param      ::= (name of a parameter variable from Π)
lin_form   ::= param | int | lin_form + lin_form | lin_form − lin_form
threshold  ::= lin_form
atomcond   ::= var < var + lin_form | threshold < var |
               var > var + lin_form | threshold > var |
               var = var + lin_form
guard      ::= sv = sval | sv ≠ sval | atomcond | guard ∧ guard



Our threshold guarded commands can be expressed as combinations of thresh- 
old conditions via guard. 

For every path from $q_I$ to $q_F$ each variable appears at most once in the left-hand side of every assignment. Every variable $x$ has several copies: $x$ for the initial value, $x'$ for the final one, and $x_1, x_2, \dots$ for intermediate ones. As common in SSA [10], when different copies of $x$ meet in a state $q$, a $\phi$-function selects the latest copy of $x$ that arrived to $q$ along the current computation path.

Let us assume that $SV$, $\Lambda$, $\Gamma$, $\Pi$, $RC$, and $N$ are given. Given a CFA $A$, we now define the process skeleton $Sk(A) = (S, S^0, R)$ induced by $A$ as follows.

We assume that all variables that range over $D$ are initialized to 0, and $sv$ ranging over $SV$ takes an initial value from a fixed subset of $SV$. Every CFA path from $q_I$ to $q_F$ assigns values to its variables based on the values of input variables. We call a mapping $v$ from variable names to the values from the respective domains a valuation if every variable used in the guards of the path has a value assigned to it.

A path $\rho$ of a CFA induces a conjunction of all the guards along it. We may thus write $v \models \rho$ to denote that the valuation $v$ satisfies the guards of the path $\rho$. We are now in the position to define the mapping between a CFA $A$ and a process skeleton $Sk(A)$: If there is a path $\rho$ and a valuation $v$ with $v \models \rho$, then $v$ defines a single transition $(s, t)$ of a process skeleton $Sk(A)$, where for each variable $x \in \Lambda \cup \Gamma \cup \Pi \cup \{sv\}$ it holds $s.x = v(x)$ and $t.x = v(x')$.



System Instances. For fixed admissible parameters $p$, a distributed system is modeled as an asynchronous parallel composition of identical processes $Sk|_p$. The number of processes depends on the parameters. To formalize this, we define the size of a system (the number of processes) using a function $N : P_{RC} \to \mathbb{N}$. For instance, when modeling only correct processes explicitly, $N(n, t, f) = n - f$.

Finally, given $p \in P_{RC}$, and a parameterized process skeleton $Sk = (S, S^0, R)$, a system instance $Inst(p, Sk) = (S_I, S_I^0, R_I, AP, \lambda_I)$ is a Kripke structure defined as an asynchronous parallel composition of $N(p)$ process instances, indexed by $i \in \{1, \dots, N(p)\}$, following standard interleaving semantics. Given a state $\sigma$ of $Inst(p, Sk)$, we denote the state of process $i$ by $\sigma[i]$. (The formal definition is given in Appendix C.)

Remark 1. The set of global states $S_I$ and the transition relation $R_I$ are preserved under every transposition $i \leftrightarrow j$ of process indices $i$ and $j$ in $\{1, \dots, N(p)\}$. That is, every system $Inst(p, Sk)$ is fully symmetric by construction.

Atomic Propositions. The set $AP_{SV}$ contains propositions that capture comparison against a given status value $Z \in SV$, i.e., $[\forall i.\, sv_i = Z]$ and $[\exists i.\, sv_i = Z]$. Further, fairness conditions usually involve comparisons on variables ranging over $D$. Thus, we add a set of atomic propositions $AP_D$ that capture comparison of variables $x$, $y$, and constant $c$ that all range over $D$; $AP_D$ consists of propositions of the form $[\exists i.\, x_i + c < y_i]$ and $[\forall i.\, x_i + c \ge y_i]$. We then define $AP$ to be the disjoint union of $AP_{SV}$ and $AP_D$. The labeling function $\lambda_I$ of a system instance $Inst(p, Sk)$ maps a state $\sigma$ to expressions $p$ from $AP$ as follows (the existential case is defined accordingly using disjunctions):

$[\forall i.\, sv_i = Z] \in \lambda_I(\sigma)$ iff $\bigwedge_{1 \le i \le N(p)} (\sigma[i].sv = Z)$

$[\forall i.\, x_i + c \ge y_i] \in \lambda_I(\sigma)$ iff $\bigwedge_{1 \le i \le N(p)} (\sigma[i].x + c \ge \sigma[i].y)$

Temporal Logic. We specify properties of distributed algorithms in formulas of temporal logic LTL$_{-X}$ over $AP_{SV}$. We use the standard definitions of paths and LTL$_{-X}$ semantics [4]. A formula of LTL$_{-X}$ is defined inductively as:

— a literal $p$ or $\neg p$, where $p \in AP_{SV}$, or

— $\mathbf{F}\varphi$, $\mathbf{G}\varphi$, $\varphi\,\mathbf{U}\,\psi$, $\varphi \lor \psi$, and $\varphi \land \psi$, where $\varphi$ and $\psi$ are LTL$_{-X}$ formulas.

Fairness. We are interested in verifying safety and liveness properties. The latter can be usually proven only in the presence of fairness constraints. The authors of [18,24] paid special attention to verification of safety and liveness in systems with justice and compassion as fairness constraints. Similarly, in our paper we define fair paths of a system instance $Inst(p, Sk)$ using a set of justice constraints $J \subseteq AP_D$. A path $\pi$ of a system $Inst(p, Sk)$ is $J$-fair iff for every $p \in J$ there are infinitely many states $\sigma \in \pi$ with $p \in \lambda_I(\sigma)$. By $Inst(p, Sk) \models_J \varphi$ we denote that the formula $\varphi$ holds on all $J$-fair paths of $Inst(p, Sk)$.
Fig. 1. Example CFA.

Fig. 2. Guarded CFA in SSA.



Parameterized Model Checking Problem. Given:

— a domain $D$,

— a parameterized process skeleton $Sk = (S, S^0, R)$,

— a resilience condition $RC$ (generating a set of admissible parameters $P_{RC}$),

— justice requirements $J$, and an LTL$_{-X}$ formula $\varphi$,

check whether for all $p \in P_{RC}$ it holds that $Inst(p, Sk) \models_J \varphi$.



3 Case study: Byzantine Fault-tolerant Broadcast 



Figure 2 is the guarded control flow automaton of the core of the Byzantine fault-tolerant broadcasting algorithm by Srikanth and Toueg [35]. It is obtained from the formalization in [17] (which is provided in Figure 1), using the SSA transformation algorithm from [10]. In our experiments we will consider three additional variants of this algorithm that differ in the threshold guards. The variants deal with different fault models and resilience conditions; the algorithms are: (Byz), which is the algorithm from the figure, for $t$ Byzantine faults if $n > 3t$, (symm) for $t$ symmetric (identical Byzantine [1]) faults if $n > 2t$, (omit) for $t$ send omission faults if $n > 2t$, and (clean) for $t$ clean crash faults if $n > t$.
In this paper we verify the following safety and liveness specifications for the algorithms:

(U) $\mathbf{G}\,([\forall i.\, sv_i \ne V1] \to \mathbf{G}\,[\forall j.\, sv_j \ne AC])$

(C) $\mathbf{G}\,([\forall i.\, sv_i = V1] \to \mathbf{F}\,[\exists j.\, sv_j = AC])$

(R) $\mathbf{G}\,([\exists i.\, sv_i = AC] \to \mathbf{F}\,[\forall j.\, sv_j = AC])$



In asynchronous distributed algorithms one assumes, e.g., communication fairness, i.e., every message sent is eventually received. To capture this, we use justice requirements, i.e., $J = \{[\forall i.\, rcvd_i \ge nsnt]\}$.

After presenting our abstraction techniques in the following section, Section 5 discusses the experimental evaluation.

4 Abstraction Scheme 

The input to our abstraction method is the infinite parameterized family $\mathcal{F} = \{Inst(p, Sk(A)) \mid p \in P_{RC}\}$ of Kripke structures specified via a CFA $A$. The family $\mathcal{F}$ has two principal sources of unboundedness: unbounded variables in the process skeleton $Sk(A)$, and the unbounded number of processes $N(p)$. We deal with these two aspects separately, using two abstraction steps, namely the PIA data abstraction and the PIA counter abstraction. In both abstraction steps we use the parametric interval abstraction PIA that we introduce in Section 4.1.

4.1 Abstract Domain of Parametric Intervals (PIA) 

From the thresholds used in the guards of a CFA $A$ from Section 3 we syntactically extract a finite threshold set $T$ that contains threshold functions $\vartheta_i : P_{RC} \to D$, for $0 \le i < |T|$. Additionally, we assume that for all $p \in P_{RC}$, $\vartheta_0(p)$ has to be 0, and $\vartheta_1(p)$ has to be 1. Let $\mu + 1$ be the cardinality of the threshold set $T$. Then we define the domain of parametric intervals:

$\hat{D} = \{I_j \mid 0 \le j \le \mu\}$

Our abstraction rests on an implicit property of many fault-tolerant distributed algorithms, namely, that the resilience condition $RC$ induces an order on the thresholds used in the algorithm (e.g., $t + 1 < n - t$). Assuming such an order does not limit the application of our approach: In cases where only a partial order is induced by $RC$, one can simply enumerate all possible total orders. As parameters, and thus thresholds, are kept unchanged in a run, one can verify an algorithm for each threshold order separately, and then combine the results. We may thus restrict the threshold sets we consider by:

Definition 1. The finite set $T$ is uniformly ordered if for all $p \in P_{RC}$, and all $\vartheta_j(p)$ and $\vartheta_k(p)$ in $T$ with $0 \le j < k \le \mu$, it holds that $\vartheta_j(p) < \vartheta_k(p)$.
Definition 1 allows us to properly define the parameterized abstraction function $\alpha_p : D \to \hat{D}$ and the parameterized concretization function $\gamma_p : \hat{D} \to 2^D$.

$\alpha_p(x) = \begin{cases} I_j & \text{if } x \in [\vartheta_j(p), \vartheta_{j+1}(p)[ \text{ for some } 0 \le j < \mu \\ I_\mu & \text{otherwise} \end{cases}$

$\gamma_p(I_j) = \begin{cases} [\vartheta_j(p), \vartheta_{j+1}(p)[ & \text{if } j < \mu \\ [\vartheta_\mu(p), \infty[ & \text{otherwise} \end{cases}$

From $\vartheta_0(p) = 0$ and $\vartheta_1(p) = 1$, it immediately follows that for all $p \in P_{RC}$, we have $\alpha_p(0) = I_0$, $\alpha_p(1) = I_1$, and $\gamma_p(I_0) = \{0\}$. Moreover, from the definitions and Definition 1 one immediately obtains:

Proposition 1. For all $p$ in $P_{RC}$, and for all $a$ in $D$, it holds that $a \in \gamma_p(\alpha_p(a))$.

Definition 2. $I_k \le I_\ell$ iff $k \le \ell$.

The PIA domain has similarities to predicate abstraction because the interval borders are naturally expressed as predicates, and computations over PIA are directly reduced to SMT solvers. On the other hand, notions such as the order of Definition 2 are not naturally expressed in terms of predicate abstraction.



4.2 PIA data abstraction 

Our parameterized data abstraction is based on two abstraction ideas. First, the variables used in a process skeleton are unbounded and we have to map those unbounded variables to a fixed-size domain. If we fix parameters $p \in P_{RC}$, then an interval abstraction [3] is a natural solution to the problem of unboundedness. Second, we want to produce a single process skeleton that does not depend on parameters $p \in P_{RC}$ and captures the behavior of all process instances. This can be done by using ideas from existential abstraction [7,11,18] and sound abstraction of fairness constraints [18]. Our contribution consists of combining these two ideas to arrive at parametric interval data abstraction.

Our abstraction maps values of unbounded variables to parametric intervals $I_j$, whose boundaries are symbolic expressions over parameters. This abstraction differs from interval abstraction [9] in that the interval bounds are not numeric. However, for every instance, the boundaries are constant because the parameters are fixed. We hence do not have to deal with symbolic ranges over variables in the sense of [25].

We now discuss an existential abstraction of a formula $\Phi$, whose syntax is captured by atomcond (we consider general formulas following the syntax of guard later). To this end we introduce notation for sets of vectors satisfying $\Phi$. According to Section 2 the formula $\Phi$ has two kinds of free variables: parameter variables from $\Pi$ and data variables from $\Lambda \cup \Gamma$. Let $x^p$ be a vector of parameter variables $(x_1^p, \dots, x_{|\Pi|}^p)$ and $x^v$ be a vector of variables $(x_1^v, \dots, x_k^v)$ over $D^k$. Given a $k$-dimensional vector $d$ of values from $D$, by $x^p = p, x^v = d \models \Phi$ we denote that $\Phi$ is satisfied on concrete values $x_1^v = d_1, \dots, x_k^v = d_k$ and parameter values $p$. We define $\|\Phi\|_E \subseteq \hat{D}^k$:

$\|\Phi\|_E = \{\hat d \in \hat{D}^k \mid \exists p \in P_{RC}\ \exists d = (d_1, \dots, d_k) \in D^k.\ \hat d = (\alpha_p(d_1), \dots, \alpha_p(d_k)) \land x^p = p, x^v = d \models \Phi\}$

Hence, $\|\Phi\|_E$ contains all vectors of abstract values that correspond to some concrete values satisfying $\Phi$. Note carefully that parameters do not appear anymore due to existential quantification. A PIA existential abstraction of $\Phi$ is defined to be a formula $\hat\Phi$ over a vector of variables $\hat x = \hat x_1, \dots, \hat x_k$ over $\hat{D}^k$ such that $\{\hat d \in \hat{D}^k \mid \hat x = \hat d \models \hat\Phi\} \supseteq \|\Phi\|_E$.

Computing PIA abstractions. The central property of our abstract domain is that it allows to abstract comparisons against thresholds in a precise way. That is, we can abstract formulas of the form $x_1 \ge \vartheta_j(p)$ by $\hat x_1 \ge I_j$ and $x_1 < \vartheta_j(p)$ by $\hat x_1 < I_j$. In fact, this abstraction is precise in the following sense.

Proposition 2. For all $p \in P_{RC}$ and all $a \in D$ it holds that: $a \ge \vartheta_j(p)$ iff $\alpha_p(a) \ge I_j$, and $a < \vartheta_j(p)$ iff $\alpha_p(a) < I_j$.

For all formulas that are not threshold guards we are going to use a general form (which is well-known from the literature), namely:

$\hat\Phi_E = \bigvee_{(\hat d_1, \dots, \hat d_k) \in \|\Phi\|_E} \hat x_1 = \hat d_1 \land \dots \land \hat x_k = \hat d_k$

Proposition 3. If $\Phi$ is a formula over variables $x_1, \dots, x_k$ over $D$, then $\hat\Phi_E$ is a PIA existential abstraction.

If the domain $\hat{D}$ is small (as it is in our case), then one can enumerate all vectors of abstract values in $\hat{D}^k$ and check which of them belong to our abstraction $\|\Phi\|_E$, using an SMT solver.

Transforming CFA. We now describe a general method to abstract guard formulas, and thus construct an abstract process skeleton. To this end, we denote by $\alpha_E$ a mapping from a concrete formula $\Phi$ to some existential abstraction of $\Phi$ (not necessarily constructed as above). By fixing $\alpha_E$, we can define an abstraction of a guard of a CFA:

$abst(g) = \begin{cases} \alpha_E(g) & \text{if } g \text{ is atomcond} \\ g & \text{if } g \text{ is one of } sv = sval,\ sv \ne sval \\ abst(g_1) \land abst(g_2) & \text{otherwise, i.e., } g \text{ is } g_1 \land g_2 \end{cases}$

By slightly abusing the notation, for a CFA $A$ by $abst(A)$ we denote the CFA that is obtained from $A$ by replacing every guard $g$ with $abst(g)$. Note that $abst(A)$ contains only guards over $sv$ and over abstract variables over $\hat{D}$.
Definition 3. We define a mapping $h_p^{dat}$ from valuations $v$ of a CFA $A$ to valuations $\hat v$ of CFA $abst(A)$ as follows: for each variable $x$ over $D$, $\hat v.x = \alpha_p(v.x)$, and for each variable $y$ over $SV$, $\hat v.y = v.y$.

The following theorem follows immediately from the definition of existential abstraction and $abst(A)$:

Theorem 1. For all $p$ in $P_{RC}$ and for all valuations $v$ with $v =_\Pi p$: if $v \models guard$, then $h_p^{dat}(v) \models abst(guard)$.

For model checking purposes we have to reason about the Kripke structures that are built using the skeletons obtained from CFAs. We denote by $Sk_{abs}(A)$ the process skeleton that is induced by CFA $abst(A)$. Analogously to $h_p^{dat}$, we define the parameterized abstraction mapping $h_p^{dat}$ that maps states from $Inst(p, Sk(A))$ to states from $Inst(p, Sk_{abs}(A))$. After that, we obtain Theorem 2 from Theorem 1 and the construction of system instances.

Definition 4. Let $\sigma$ be a state of $Inst(p, Sk(A))$, and $\hat\sigma$ be a state of the abstract instance $Inst(p, Sk_{abs}(A))$. Then, $\hat\sigma = h_p^{dat}(\sigma)$ if for each variable $y \in \Lambda \cup \Gamma \cup \Pi$, $\hat\sigma.y = \alpha_p(\sigma.y)$, and $\hat\sigma.sv = \sigma.sv$.

Theorem 2. For all $p \in P_{RC}$, and for all CFA $A$, if system instance $Inst(p, Sk(A)) = (S_I, S_I^0, R_I, AP, \lambda_I)$ and system instance $Inst(p, Sk_{abs}(A)) = (\hat S_I, \hat S_I^0, \hat R_I, AP, \hat\lambda_I)$, then:

if $(\sigma, \sigma') \in R_I$, then $(h_p^{dat}(\sigma), h_p^{dat}(\sigma')) \in \hat R_I$.

Theorem 2 is the first step to prove simulation. In order to actually do so, we now define the labeling function $\hat\lambda_I$. For propositions $p \in AP_{SV}$, $\hat\lambda_I(\hat\sigma)$ is defined in the same way as $\lambda_I$. Similarly to [18], for propositions $p \in AP_D$, which are used in justice constraints, we define:

$[\exists i.\, x_i + c < y_i] \in \hat\lambda_I(\hat\sigma)$ iff $\bigvee_{1 \le i \le N(p)} \hat\sigma[i] \models \alpha_E(\{x + c < y\})$

$[\forall i.\, x_i + c \ge y_i] \in \hat\lambda_I(\hat\sigma)$ iff $\bigwedge_{1 \le i \le N(p)} \hat\sigma[i] \models \alpha_E(\{x + c \ge y\})$

From Theorem 2, the definition of $h_p^{dat}$ with respect to the variable $sv$, and the definition of $\hat\lambda_I$ one immediately obtains the following theorems. Theorem 4 ensures that justice constraints $J$ in the abstract system $Inst(p, Sk_{abs}(A))$ are a sound abstraction of justice constraints $J$ in $Inst(p, Sk(A))$.

Theorem 3. For all $p \in P_{RC}$, and for all CFA $A$, it holds $Inst(p, Sk(A)) \preceq Inst(p, Sk_{abs}(A))$, with respect to $AP_{SV}$.

Theorem 4. Let $\pi = \{\sigma_i\}_{i \ge 1}$ be a $J$-fair path of $Inst(p, Sk(A))$. Then $\hat\pi = \{h_p^{dat}(\sigma_i)\}_{i \ge 1}$ is a $J$-fair path of $Inst(p, Sk_{abs}(A))$.
4.3 PIA counter abstraction

In this section, we present a counter abstraction inspired by [24] which maps a system instance composed of identical finite state process skeletons to a single finite state system. We use the PIA domain $\hat{D}$ along with abstractions $\alpha_E(\{x' = x + 1\})$ and $\alpha_E(\{x' = x - 1\})$ for the counters.

Let us consider a process skeleton $Sk = (S, S^0, R)$, where $S = SV \times \hat{D}^{|\Lambda|} \times \hat{D}^{|\Gamma|} \times \hat{D}^{|\Pi|}$ is defined using an arbitrary finite domain $\hat{D}$. (Note that we do not require that the skeleton is obtained from a CFA.) Our counter abstraction over the abstract domain $\hat{D}$ proceeds in two steps, where the first step is only a change in representation, but not an abstraction.

Step 1: Vector addition state system (VASS). Let $L = \{\ell \in SV \times \hat{D}^{|\Lambda|} \mid \exists s \in S.\ \ell =_{\{sv\} \cup \Lambda} s\}$ be the set of local states of a process skeleton. As the domain $\hat{D}$ and the set of local variables $\Lambda$ are finite, $L$ is finite. We write the elements of $L$ as $\ell_1, \dots, \ell_{|L|}$. We define the counting function $K : S_I \times L \to D$ such that $K[\sigma, \ell]$ is the number of processes $i$ whose local state is $\ell$ in global state $\sigma$, i.e., $\sigma[i] =_{\{sv\} \cup \Lambda} \ell$. Thus, we represent the system state $\sigma \in S_I$ as a tuple $(g_1, \dots, g_{|\Gamma|}, K[\sigma, \ell_1], \dots, K[\sigma, \ell_{|L|}])$, i.e., by the shared global state and by the counters for the local states. If a process moves from local state $\ell_i$ to local state $\ell_j$, the counters of $\ell_i$ and $\ell_j$ will decrement and increment, respectively.

Step 2: Abstraction of VASS. We will now abstract the counters $K$ of the VASS representation using the PIA domain to obtain a finite state Kripke structure $Cnt(Sk)$. To compute $Cnt(Sk) = (S_{Cnt}, S_{Cnt}^0, R_{Cnt}, AP, \lambda_{Cnt})$ we proceed as follows: A state $w \in S_{Cnt}$ is given by values of shared variables from the set $\Gamma$, ranging over $\hat{D}^{|\Gamma|}$, and by a vector $(\kappa[\ell_1], \dots, \kappa[\ell_{|L|}])$ over the abstract domain $\hat{D}$ from Section 4.1. More concisely, $S_{Cnt} = \hat{D}^{|L|} \times \hat{D}^{|\Gamma|}$.

Definition 5. The parameterized abstraction mapping $h_p^{cnt}$ maps a global state $\sigma$ of the system $Inst(p, Sk)$ to a state $w$ of the abstraction $Cnt(Sk)$ such that: For all $\ell \in L$ it holds that $w.\kappa[\ell] = \alpha_p(K[\sigma, \ell])$, and $w =_\Gamma \sigma$.

From the definition one can see how to construct the initial states. Informally, 
we require (1) that the initial shared states of Cnt(Sk) correspond to initial shared 
states of Sk, (2) that there are actually N(p) processes in the system, and (3) 
that initially all processes are in an initial state. 

The intuition for the construction of the transition relation is as follows: Like in VASS, a step that brings a process from local state $\ell_i$ to $\ell_j$ can be modeled by decrementing the (non-zero) counter of $\ell_i$ and incrementing the counter of $\ell_j$. Like Pnueli, Xu, and Zuck [21] we use the idea of representing counters in an abstract domain, and performing increment and decrement using existential abstraction. They used a three-valued domain representing 0, 1, or more processes. As we are interested, e.g., in the fact whether at least $t + 1$ or $n - t$ processes are in a certain state, the domain from [53] is too coarse for us. Therefore, we use counters from $\hat{D}$, and we increment and decrement counters using the formulas $\alpha_E(\{x' = x + 1\})$ and $\alpha_E(\{x' = x - 1\})$.

1 A formal definition of the transition relation is given in Appendix A.

Theorem 5. For all $p \in P_{RC}$, and all finite state process skeletons $Sk$, let system instance $Inst(p, Sk) = (S_I, S_I^0, R_I, AP, \lambda_I)$, and $Cnt(Sk) = (S_{Cnt}, S_{Cnt}^0, R_{Cnt}, AP, \lambda_{Cnt})$. Then:

if $(\sigma, \sigma') \in R_I$, then $(h_p^{cnt}(\sigma), h_p^{cnt}(\sigma')) \in R_{Cnt}$.

To prove simulation, we now define the labeling function $\lambda_{Cnt}$. Here we consider propositions from $AP_D \cup AP_{SV}$ in the form of $[\exists i.\, \Phi(i)]$ and $[\forall i.\, \Phi(i)]$. Formula $\Phi(i)$ is defined over variables from the $|\Pi|$-dimensional vector $x^p$ of parameters, a $k$-dimensional vector $x^\ell$ of local variables and $sv$, an $m$-dimensional vector of global variables $x^g$. Then, the labeling function is defined by

$[\exists i.\, \Phi(i)] \in \lambda_{Cnt}(w)$ iff $\bigvee_{\ell \in L} (x^\ell = \ell, x^g = w|_\Gamma \models abst(\Phi(i)) \land w.\kappa[\ell] \ne I_0)$

$[\forall i.\, \Phi(i)] \in \lambda_{Cnt}(w)$ iff $\bigwedge_{\ell \in L} (x^\ell = \ell, x^g = w|_\Gamma \models abst(\Phi(i)) \lor w.\kappa[\ell] = I_0)$

Theorem 6. For all $p \in P_{RC}$, and for all finite state process skeletons $Sk$, $Inst(p, Sk) \preceq Cnt(Sk)$, with respect to $AP_{SV}$.

Theorem 7. Let $\pi = \{\sigma_i\}_{i \ge 1}$ be a $J$-fair path of $Inst(p, Sk_{abs}(A))$. Then $\hat\pi = \{h_p^{cnt}(\sigma_i)\}_{i \ge 1}$ is a $J$-fair path of $Cnt$.

From Theorems 3, 4, 6 and 7 we obtain the following central corollary in the form necessary for our parameterized model checking problem.

Corollary 1 (Soundness of data & counter abstraction). For all CFA $A$, and for all formulas $\varphi$ from LTL$_{-X}$ over $AP_{SV}$ and justice constraints $J \subseteq AP_D$: if $Cnt(Sk_{abs}(A)) \models_J \varphi$, then for all $p \in P_{RC}$ it holds $Inst(p, Sk(A)) \models_J \varphi$.
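As an added example (not code from the paper or from the ByMC tool), the following Python instantiates the PIA domain of Section 4.1 with the Byzantine thresholds $T = \{0, 1, t+1, n-t\}$, computes $\|\Phi\|_E$ of Section 4.2 for the counter updates $x' = x + 1$ and $x' = x - 1$, and applies the counter abstraction of Section 4.3 to a constructed global state. It assumes a bounded enumeration of admissible $(n, t, f)$ in place of the SMT query the paper uses for the existential quantifier, and the status labels V1 and AC are those of the specifications in Section 3.

```python
# Added example, not the paper's or ByMC's code. PIA domain for the Byzantine
# variant: T = {0, 1, t+1, n-t} under RC(n,t,f) = (n > 3t and f <= t and t > 0).
# Assumption: the paper discharges "exists p in P_RC" in ||Phi||_E with an SMT
# solver; here admissible (n, t, f) are enumerated up to a bound instead.

# Threshold functions theta_0 .. theta_mu (theta_0 = 0 and theta_1 = 1 as required).
THRESHOLDS = (
    lambda n, t, f: 0,
    lambda n, t, f: 1,
    lambda n, t, f: t + 1,
    lambda n, t, f: n - t,
)
MU = len(THRESHOLDS) - 1   # abstract domain {I_0, ..., I_MU}, encoded as 0..MU


def rc(n, t, f):
    """Resilience condition of the Byzantine variant."""
    return n > 3 * t and f <= t and t > 0


def admissible(max_n):
    """Bounded stand-in for P_RC: all (n, t, f) with n <= max_n satisfying RC."""
    return [(n, t, f) for n in range(1, max_n + 1)
            for t in range(0, n) for f in range(0, t + 1) if rc(n, t, f)]


def uniformly_ordered(params):
    """Definition 1: theta_j(p) < theta_k(p) for all j < k and every admissible p."""
    return all(THRESHOLDS[j](*p) < THRESHOLDS[j + 1](*p)
               for p in params for j in range(MU))


def alpha(p, x):
    """alpha_p(x): the j with x in [theta_j(p), theta_{j+1}(p)[, or MU if x >= theta_MU(p)."""
    for j in range(MU):
        if THRESHOLDS[j](*p) <= x < THRESHOLDS[j + 1](*p):
            return j
    return MU


def gamma(p, j, upper):
    """gamma_p(I_j), cut off at `upper` because gamma_p(I_MU) is unbounded."""
    hi = THRESHOLDS[j + 1](*p) if j < MU else upper
    return range(THRESHOLDS[j](*p), hi)


def threshold_abstraction_precise(params, upper=20):
    """Proposition 2: a >= theta_j(p) iff alpha_p(a) >= I_j, checked for 0 <= a < upper."""
    return all((a >= THRESHOLDS[j](*p)) == (alpha(p, a) >= j)
               for p in params for j in range(MU + 1) for a in range(upper))


def existential_abstraction(relation, params, upper=20):
    """||Phi||_E for Phi(x, x') = relation(x, x'): every pair (alpha_p(d), alpha_p(d'))
    with d, d' in [0, upper[ satisfying Phi for some admissible p."""
    return {(alpha(p, d), alpha(p, d2))
            for p in params for d in range(upper) for d2 in range(upper)
            if relation(d, d2)}


def counter_abstraction(p, local_states):
    """h_p^cnt on the local part of a global state sigma: the VASS counters
    K[sigma, l] per local state l, each abstracted with alpha_p."""
    counts = {}
    for l in local_states:
        counts[l] = counts.get(l, 0) + 1
    return {l: alpha(p, k) for l, k in counts.items()}


def abstract_step(kappa, src, dst, inc_abs, dec_abs):
    """Successors of the abstract counter vector kappa when one process moves from
    local state src to dst: kappa[src] changes by alpha_E({x' = x-1}) and kappa[dst]
    by alpha_E({x' = x+1}). A source counter I_0 has no decrement pair, so a move
    out of an empty local state yields no successor."""
    succ = []
    for k_src in sorted(k for (a, k) in dec_abs if a == kappa[src]):
        for k_dst in sorted(k for (a, k) in inc_abs if a == kappa[dst]):
            new = dict(kappa)
            new[src], new[dst] = k_src, k_dst
            succ.append(new)
    return succ


if __name__ == "__main__":
    params = admissible(7)
    inc = existential_abstraction(lambda x, x2: x2 == x + 1, params)
    dec = existential_abstraction(lambda x, x2: x2 == x - 1, params)
    print("alpha_E({x'=x+1}) =", sorted(inc))
    print("alpha_E({x'=x-1}) =", sorted(dec))
    # Constructed global state for p = (4, 1, 0): three processes in V1, one in AC.
    kappa = counter_abstraction((4, 1, 0), ["V1", "V1", "V1", "AC"])
    print("kappa =", kappa, "successors =", abstract_step(kappa, "V1", "AC", inc, dec))
```

Running it shows that the increment relation abstracts to the six pairs (I_0,I_1), (I_1,I_1), (I_1,I_2), (I_2,I_2), (I_2,I_3), (I_3,I_3), i.e. an abstract counter may stay in its interval or move to the next one, which is exactly the nondeterminism that later makes refinement necessary.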

4.4 Abstraction Refinement of Parameterized Systems 

Due to parametric existential abstraction we have to deal with spurious behavior. (A detailed explanation on our techniques for refinement is given in Appendix B.) The first one is caused by spurious transitions. Consider a transition $\tau$ of $Cnt(Sk_{abs}(A))$. We say that the transition $\tau$ is spurious w.r.t. $p \in P_{RC}$, if there is no transition in $Inst(p, Sk(A))$ that is a concretization of $\tau$. This situation can be detected by known techniques [5] for a fixed $p$. However, it is unsound to remove $\tau$ from $Cnt(Sk_{abs}(A))$, unless $\tau$ is spurious w.r.t. all $p \in P_{RC}$. We call transitions that are spurious w.r.t. all admissible parameters uniformly spurious. Detecting such transitions is a challenge and to the best of our knowledge, this problem has not been investigated before. To detect such transitions we use one more intermediate abstraction in the form of VASS that abstracts local variables as in Section 4.3 and keeps concrete shared variables and process counters.
No.  System  Prop  Valid  Spin Time  Spin Memory  Spin States   Spin Trans    Spin Depth  Ref-t Steps  Total Time
 1   BYZ     (U)   ✓      2.14 sec.   84 MB        509 · 10^3   1262 · 10^3    9929       -            2 sec.
 2   BYZ     (C)   ✓      4.03 sec.  114 MB       1264 · 10^3   1937 · 10^3   30607       18           60 sec.
 3   BYZ     (R)   ✓      8.79 sec.  133 MB       1993 · 10^3   4412 · 10^3   23812       13           31 sec.
 4   SYMM    (U)   ✓      0.07 sec.   68 MB         19 · 10^3     40 · 10^3    1054       -            1 sec.
 5   SYMM    (C)   ✓      0.06 sec.   68 MB         18 · 10^3     36 · 10^3    1274       2            3 sec.
 6   SYMM    (R)   ✓      3.51 sec.   75 MB        260 · 10^3   2243 · 10^3    5691       8            280 sec.
 7   OMIT    (U)   ✓      0.01 sec.   68 MB          4 · 10^3      8 · 10^3     547       -            2 sec.
 8   OMIT    (C)   ✓      0.02 sec.   68 MB          5 · 10^3     12 · 10^3     547       -            1 sec.
 9   OMIT    (R)   ✓      0.03 sec.   68 MB          6 · 10^3     17 · 10^3     677       -            1 sec.
10   CLEAN   (U)   ✓      0.03 sec.   68 MB         14 · 10^3     26 · 10^3     858       -            1 sec.
11   CLEAN   (C)   ✓      0.04 sec.   68 MB         14 · 10^3     27 · 10^3     858       -            1 sec.
12   CLEAN   (R)   ✓      0.08 sec.   68 MB         21 · 10^3     54 · 10^3     882       -            1 sec.

Table 1. Experimental data on abstraction of algorithms tolerant to faults: Byzantine, symmetric, omission, clean crashes. Run on a 3.3GHz Intel® Core™ 4GB machine.



Independently of uniformly spurious transitions, parametric abstraction leads
to the second, interesting problem. Consider transitions τ_1 and τ_2 of Cnt(Sk_abs(A))
that are not spurious w.r.t. p_1 and p_2 in P_RC, respectively, for p_1 ≠ p_2. There is
a possibility that the path τ_1, τ_2 is in Cnt(Sk_abs(A)) and there is no p_3 ∈ P_RC such
that τ_1, τ_2 is a path in Inst(p_3, Sk(A)), i.e., the path τ_1, τ_2 is uniformly spurious.
We detect such spurious behavior by user-provided invariant candidates.

As observed in [24], counter abstraction may lead to justice suppression.
Given a counter-example in the form of a lasso, we detect whether its loop
contains only unjust states. If this is the case, we refine Cnt(Sk_abs(A)) by adding a
justice requirement which is consistent with the existing requirements in all concrete
instances Inst(p, Sk(A)). This refinement is similar to an idea from [24].

5 Experimental Evaluation 

We have implemented the PIA abstractions and the refinement loop in OCaml as
a prototype tool ByMC. We evaluated it on the algorithms and the specifications
discussed in Section 3.

We extended the Promela language [15] with a few constructs to express
Π, AP, RC, Γ and N. ByMC receives a description of a CFA A in this extended
Promela, and then syntactically extracts the thresholds. Their uniform
order (Definition 1) is checked using the Yices SMT solver. Further, static
analysis partitions the variables into Γ, Λ, sv, and scratch variables. Then, the
expressions of the CFA A are analyzed, and using Yices, the existential abstractions
are computed. Based on this, our tool ByMC translates A into a VASS
encoding, which in turn it then translates into a standard Promela encoding of
the counter abstraction Cnt(A). Finally, ByMC also implements the refinements
introduced in Section 4.4 and refines the Promela code for Cnt(A) by introducing
predicates capturing spurious transitions and unjust states.


No.  System  RC   Prop  Valid  Spin Time  Spin Memory  Spin States  Spin Trans  Spin Depth  Ref-t Steps  Total Time
 1   BYZ     (a)  (U)   ✗      4.41 sec.   99 MB       1022·10^3    2056·10^3   20176        9           49
 2   BYZ     (a)  (C)   ✗      2.2 sec.    83 MB        494·10^3    1125·10^3   14461        4           20
 3   BYZ     (a)  (R)   ✗      0.37 sec.   70 MB         81·10^3     184·10^3    7126       13           25
 4   BYZ     (b)  (U)   ✓      2.91 sec.   89 MB        654·10^3    1689·10^3    9930        -            4
 5   BYZ     (b)  (C)   ✓      4.72 sec.  105 MB       1172·10^3    2157·10^3   23706       12           50
 6   BYZ     (b)  (R)   ✗      1.74 sec.   85 MB        575·10^3     990·10^3   13131       33           76
 7   SYMM    (a)  (U)   ✗      0.07 sec.   68 MB         18·10^3      40·10^3    1097        -            1
 8   SYMM    (a)  (C)   ✗      0.08 sec.   68 MB         21·10^3      42·10^3    1325        2            3
 9   SYMM    (a)  (R)   ✓      3.08 sec.   73 MB        185·10^3    1793·10^3    5294        7          280
10   OMIT    (c)  (U)   ✓      0.02 sec.   68 MB          4·10^3      14·10^3     526        -            2
11   OMIT    (c)  (C)   ✗      0.03 sec.   68 MB          4·10^3      16·10^3     526        -            2
12   OMIT    (c)  (R)   ✗      0.01 sec.   68 MB      0.068·10^3   0.086·10^3     394        -            3

Table 2. Experimental data on abstraction of fault-tolerant algorithms with incorrect
resilience conditions (RC): (a) f ≤ t + 1; (b) n ≥ 3t; (c) n ≥ 2t.

Table 1 summarizes the experiments where we used the resilience conditions as
provided in the literature. "Ref-t Steps" is the number of refinement steps.
In the cases where it is greater than zero, refinement was necessary, and "Spin
Time" refers to the Spin running time after the last refinement step.

In Table 2 we used different resilience conditions under which we expected the
algorithms to fail. The cases (a) capture the case where more faults occur than
expected by the algorithm designer, while the cases (b) and (c) capture the cases
where the algorithms were designed by assuming wrong resilience conditions. We
omit (clean) in Table 2 as the only sensible case n = f (all processes are faulty)
results in a trivial abstract domain of one interval [0, ∞).

6 Conclusions 

We presented a novel technique to model check fault-tolerant distributed algo- 
rithms. To this end, we extended the standard setting of parameterized model 
checking to processes which use threshold guards, and are parameterized with a 
resilience condition. As a case study we have chosen the core of the broadcast- 
ing algorithms [28] under different failure models. These algorithms are widely 
applied in the literature: typically, multiple (possibly an unbounded number of) 
instances are used in combination. As future work, we plan to use compositional 
model checking techniques [23] for parameterized verification of such algorithms.
APPENDIX



A Details of the counter abstraction

Initial states. Let L_0 be the set {ℓ | ℓ ∈ L ∧ ∃s_0 ∈ S^0. ℓ =_{{sv}∪Λ} s_0}; it captures
the initial local states. Then w_0 ∈ S^0_Cnt if and only if the following conditions are met:

$$\exists p \in P_{RC}\ \exists k_1 \ldots \exists k_{|L|}.\ \sum_{1 \le i \le |L|} k_i = N(p)\ \wedge\ \forall i : 1 \le i \le |L|.\ \alpha_p(k_i) = w_0.\kappa[\ell_i]$$

$$\forall i : 1 \le i \le |L|.\ (\ell_i \notin L_0) \rightarrow (w_0.\kappa[\ell_i] = I_0)$$

$$\exists s \in S^0.\ w_0 =_\Gamma s$$

Less formally: concrete counter values are mapped to w_0.κ[ℓ_i] using α_p; we
consider only combinations of counters that give a system size N(p); every
counter κ[ℓ_i] is initialized to zero if the local state ℓ_i is met in no initial state
s_0 ∈ S^0; a shared variable g of w_0 may be initialized to a value v only if there is
some initial state s_0 ∈ S^0 with s_0.g = v.

Transition relation. We now formalize the transition relation R_Cnt of Cnt(Sk).
The formal definition of when for two states w and w' of the counter abstraction
it holds that (w, w') ∈ R_Cnt is given below in (1) to (10). We will discuss each of
these formulas separately. We start from the transition relation R of the process
skeleton Sk from which we abstract. Recall that (s, s') ∈ R means that a process
can go from s to s'. From (3) and (5) we get that from is the local state of s,
and to is the local state of s'.

In the abstraction, if from ≠ to, a step from s to s' is represented by
increasing the counter at index to by 1 and decreasing the one at from by
1. Otherwise, that is, if from = to, the counter of from should not change.
Here "increase" and "decrease" are performed using the corresponding functions
over the abstract domain D, and the mentioned updates of the counters are
enforced in (7), (8), and (9). Further, the counters of all local states different
from from and to should not change, which we achieve by (10). Performing
such a transition should only be possible if there is actually a process in state s,
which means in the abstraction that the corresponding counter is greater than
I_0. We enforce this restriction by (2).

By the above, we abstract the transition with respect to local states. However,
s and s' also contain the shared variables. We have to make sure that the shared
variables are updated in the abstraction in the same way they are updated in
the concrete system, which is achieved in (4) and (6).

We thus arrive at the formal definition of the abstract transition relation:
R_Cnt consists of all pairs (w, w') for which there exist s and s' in S, and from
and to in L such that equations (1) to (10) hold:

$$(s, s') \in R \quad (1)$$

$$w.\kappa[\mathit{from}] \ne I_0 \quad (2)$$

$$\mathit{from} =_{\{sv\} \cup \Lambda} s \quad (3)$$

$$w =_\Gamma s \quad (4)$$

$$\mathit{to} =_{\{sv\} \cup \Lambda} s' \quad (5)$$

$$w' =_\Gamma s' \quad (6)$$

$$(\mathit{to} = \mathit{from}) \rightarrow w'.\kappa[\mathit{from}] = w.\kappa[\mathit{from}] \quad (7)$$

$$(\mathit{to} \ne \mathit{from}) \rightarrow \big(x = w.\kappa[\mathit{to}],\ x' = w'.\kappa[\mathit{to}] \models \alpha_E(\{x' = x + 1\})\big) \quad (8)$$

$$(\mathit{to} \ne \mathit{from}) \rightarrow \big(x = w.\kappa[\mathit{from}],\ x' = w'.\kappa[\mathit{from}] \models \alpha_E(\{x' = x - 1\})\big) \quad (9)$$

$$\forall i : 1 \le i \le |L|.\ (\ell_i \ne \mathit{from} \wedge \ell_i \ne \mathit{to}) \rightarrow w'.\kappa[\ell_i] = w.\kappa[\ell_i] \quad (10)$$

B Abstraction Refinement in Parameterized Setting 

In Section 4.4 we gave a high-level description of parameterized abstraction
refinement. In the following we provide a more detailed discussion.

We give a general framework for a sound refinement of Cnt(Sk_abs(A)) in
Section B.1 and then introduce techniques that allow us to do refinement in
practice in Sections B.2 and B.3.

B.1 Refinement Framework for Parameterized Systems

To simplify presentation, we define a monster system as a (possibly infinite)
Kripke structure Sys_ω = (S_ω, S^0_ω, R_ω, AP, λ_ω) whose state space and transition
relation are disjoint unions of the state spaces and transition relations of the system
instances Inst(p, Sk(A)) = (S_p, S^0_p, R_p, AP, λ_p) over all admissible parameters:

$$S_\omega = \bigcup_{p \in P_{RC}} S_p, \qquad S^0_\omega = \bigcup_{p \in P_{RC}} S^0_p, \qquad R_\omega = \bigcup_{p \in P_{RC}} R_p$$

$$\lambda_\omega : S_\omega \to 2^{AP} \ \text{ and for all } p \in P_{RC},\ s \in S_p \text{ it holds that } \lambda_\omega(s) = \lambda_p(s)$$

Using the abstraction mappings h^dat_p and h^cnt_p we define an abstraction mapping
h^dc : S_ω → S_Cnt from Sys_ω to Cnt(Sk_abs(A)): if σ ∈ S_p, then h^dc(σ) =
h^cnt_p(h^dat_p(σ)).

Definition 6. A sequence T = {σ_i}_{i≥1} is a concretization of a path T̂ = {w_i}_{i≥1}
of Cnt(Sk_abs(A)) if and only if σ_1 ∈ S^0_ω and for all i ≥ 1 it holds that h^dc(σ_i) = w_i.

Definition 7. A path T̂ of Cnt(Sk_abs(A)) is a spurious path iff every concretization
T of T̂ is not a path in Sys_ω.

While for finite state systems there are methods to detect whether a path
is spurious [5], we are not aware of a method to detect whether a path T̂
in Cnt(Sk_abs(A)) corresponds to a path in the (concrete) infinite monster system
Sys_ω. Therefore, we limit ourselves to detecting and refining uniformly spurious
transitions and unjust states.

Definition 8. An abstract transition (w, w') ∈ R_Cnt is uniformly spurious iff
there is no transition (σ, σ') ∈ R_ω with w = h^dc(σ) and w' = h^dc(σ').
Definition 9. An abstract state w ∈ S_Cnt is unjust under q ∈ AP_D iff there is
no concrete state σ ∈ S_ω with w = h^dc(σ) and q ∈ λ_ω(σ).

We give a general criterion that ensures soundness of the abstraction when removing
uniformly spurious transitions. In other words, removing such a transition
does not affect the property of transition preservation.

Theorem 8. Let T ⊆ R_Cnt be a set of uniformly spurious transitions. Then for every
transition (σ, σ') ∈ R_ω there is a transition (h^dc(σ), h^dc(σ')) in R_Cnt \ T.

Proof. Assume that there is a transition (σ, σ') ∈ R_ω with w = h^dc(σ), w' =
h^dc(σ'), and (w, w') ∈ R_Cnt ∩ T. As T is a set of uniformly spurious transitions,
we have that the transition (w, w') is uniformly spurious. Consider a pair of states
ρ, ρ' ∈ S_ω with the property h^dc(ρ) = w and h^dc(ρ') = w'. From Definition 8
it follows that (ρ, ρ') ∉ R_ω. This contradicts the assumption (σ, σ') ∈ R_ω, as we
can take ρ = σ and ρ' = σ'. □

From the theorem it follows that the system Cnt_ref = (S_Cnt, S^0_Cnt, R_Cnt \
T, AP, λ_Cnt) still simulates Sys_ω.

After the criterion for removing individual transitions, we now consider infinite
counterexamples of Cnt(Sk_abs(A)), which have the form of lassos. For such a
counterexample T̂ we denote the set of states in the lasso's loop by U. We then
check whether all states of U are unjust under some justice constraint q ∈ J. If
this is the case, T̂ is a spurious counterexample, because the justice constraint
q is violated. Note that it is sound to only consider infinite paths where states
outside of U appear infinitely often; in fact, this is a justice requirement. To
refine Cnt's unjust behavior we add a corresponding justice requirement. Formally,
we augment J (and AP_D) with a propositional symbol [off U]. Further,
we augment the labelling function λ_Cnt such that every w ∈ S_Cnt is labelled with
[off U] if and only if w ∉ U.

Theorem 9. Let J ⊆ AP_D be a set of justice requirements, q ∈ J, and U ⊆ S_Cnt
be a set of unjust states under q. Let π = {σ_i}_{i≥1} be an arbitrary fair path of
Sys_ω under J. The path π̂ = {h^dc(σ_i)}_{i≥1} is a fair path in Cnt(Sk_abs(A)) under
{α_E(p) | p ∈ J} ∪ {[off U]}.

Proof. Consider an arbitrary fair path π = {σ_i}_{i≥1} of Sys_ω under J. Assume
that π̂ = {h^dc(σ_i)}_{i≥1} is fair under J, but it becomes unfair under J ∪ {[off U]}.

If π̂ is unfair under {[off U]}, then π̂ does not have infinitely many states
labelled with [off U]. Thus, π̂ must have an infinite suffix suf(π̂), where each
w ∈ suf(π̂) has the property [off U] ∉ λ_Cnt(w). From the definition of [off U] we
immediately conclude that every state w ∈ suf(π̂) belongs to U, i.e., w is unjust
under q ∈ J.

Using the suffix suf(π̂) we reconstruct a corresponding suffix suf(π) of π (by
skipping the prefix of the same length as in π̂). From the fact that every state
of suf(π̂) is unjust under q we know that every state σ ∈ suf(π) violates the
constraint q as well, namely, q ∉ λ_ω(σ). Thus, π has at most finitely many states
labelled with q ∈ J. It immediately follows from the definition of fairness that π
is not fair under J. This contradicts the assumption of the theorem. □
From the last theorem we derive the criterion that loops containing only
unjust states can be eliminated, and thus Cnt(Sk_abs(A)) can be refined.

B.2 Detecting Spurious Transitions and Unjust States 

In this section we show symbolic techniques to detect spurious transitions and
unjust states for our specific PIA abstractions. We are concerned with symbolic
representations that can be encoded as a formula of an SMT solver. While there
are systems where one can encode the monster system Sys_ω (Section B.1) in
an SMT solver [18,24], it is not obvious how to do this for threshold-based
distributed algorithms, which have a parameterized local state space.

Our method consists of using a model for refinement that abstracts only the local
state space, but is finer than {Inst(p, Sk_abs(A))}_{p∈P_RC}. Thus, we introduce a
family {Inst(p, Sk_Λ(A))}_{p∈P_RC}, where Sk_Λ(A) is a skeleton obtained by applying
a data abstraction similar to Section 4.2, but the shared variables Γ preserve their
concrete values. Because guards operate on variables both in the abstract and in the
concrete domain, we have to define a finer abstraction of guards.

We need some additional notation. Let lin_form(ϑ_j) be the threshold expression
of the CFA that induces the threshold function ϑ_j for 0 ≤ j ≤ μ. Then we
construct a formula in(y, I_a) expressing that a variable y lies within the interval
captured by I_a. (Note that parameter variables are free in the formula.)

$$\mathit{in}(y, I_a) = \big(I_a = I_\mu \wedge (\mathit{lin\_form}(\vartheta_a) \le y)\big)\ \vee\ \big(I_a \ne I_\mu \wedge (\mathit{lin\_form}(\vartheta_a) \le y < \mathit{lin\_form}(\vartheta_{a+1}))\big)$$

The abstraction of CFA guards is done as follows:

$$\mathit{abst}_\Lambda(g) = \begin{cases}
\displaystyle\bigvee_{(I_a, I_b) \in \|g\|_E} \big(x = I_a \wedge \mathit{in}(y, I_b)\big) & \text{if } g \text{ is } x < y + \beta \text{ or } x \ge y + \beta,\ x \in \Lambda,\ y \in \Gamma,\ \beta \text{ is a lin\_form} \\
g & \text{if } g \text{ is a guard over } x, y \in \Gamma \\
\mathit{abst}_\Lambda(g_1) \wedge \mathit{abst}_\Lambda(g_2) & \text{if } g \text{ is } g_1 \wedge g_2 \\
\text{as (5)} & \text{otherwise}
\end{cases}$$

Similarly to Section 4.2 we construct a CFA abst_Λ(A) and then use a process
skeleton Sk_Λ(A) induced by abst_Λ(A). For every parameter valuation p ∈
P_RC one can construct an instance Inst(p, Sk_Λ(A)) using Sk_Λ(A). We are going
to show that this abstraction is coarser than Inst(p, Sk(A)) and finer than
Inst(p, Sk_abs(A)) due to:

Proposition 4 (abstractions hierarchy). Sk(A) ≤ Sk_Λ(A) ≤ Sk_abs(A).

Now we encode the whole family {Inst(p, Sk_Λ(A))}_{p∈P_RC} using the VASS
representation introduced in Section 4.3. A global state of the system VASS_Λ is
represented by a vector of parameter values, a vector of shared variable values,
and a vector of process counters: (p, g, K), where p ∈ P_RC, g ∈ D^{|Γ|}, K ∈ ℕ_0^{|L|}.
Moreover, $N(p) = \sum_{1 \le i \le |L|} K_i$.

One can define a formula Init(p, g, K) that captures the initial states (p, g, K)
similarly to the initial states of Cnt(Sk_Λ(A)).

VASS_Λ makes a step from a global state (p, g, K) to a global state (p', g', K')
when:

- p' = p;

- there is a step (s, s') ∈ R of the skeleton Sk_Λ(A), where a process moves
from the local state from =_Λ s to the local state to =_Λ s';

- at least one process stays in from, i.e. K_from > 0;

- the counters are updated as K'_from = K_from − 1 and K'_to = K_to + 1;

- other counters do not change their values, i.e. ∀i : 1 ≤ i ≤ |L|. (i ≠ from ∧ i ≠
to) → K'_i = K_i.

We can encode these constraints by a symbolic formula Step(p, g, K, p', g', K').
The function λ_{VASS_Λ} labels states with justice constraints similarly to the
equations that define λ_Cnt in Section 4.3. We omit the formal definition here.

Proposition 5. The system VASS_Λ simulates the system Sys_ω.

Proposition 5 allows us to use the following strategy. We take a transition
τ of Cnt(Sk_abs(A)) and try to replay it in VASS_Λ. If τ is not reproducible in
VASS_Λ, due to Proposition 5 τ is a spurious transition in Sys_ω and it can be
removed. The following theorem provides us with a condition to check whether τ can
be replayed in VASS_Λ:

Theorem 10. Let (w, w') ∈ R_Cnt be a transition of Cnt(Sk_abs(A)). If there exists
a transition (σ, σ') ∈ R_ω such that w = h^dc(σ) and w' = h^dc(σ'), then there exists
a transition Step(p, g, K, p, g', K') of VASS_Λ satisfying the following condition:

$$\bigwedge_{1 \le i \le |L|} \big(\mathit{in}(K_i, w.\kappa[i]) \wedge \mathit{in}(K'_i, w'.\kappa[i])\big)\ \wedge \bigwedge_{1 \le j \le |\Gamma|} \big(\mathit{in}(g_j, w.g_j) \wedge \mathit{in}(g'_j, w'.g_j)\big)$$

In other words, if the formula from Theorem 10 is unsatisfiable, the transition
(w, w') can be removed safely.

Further, we check whether an abstract state w ∈ S_Cnt is an unjust one. If it is,
then Theorem 10 allows us to refine justice constraints. The following theorem
provides us with a condition that a state is unjust in VASS_Λ:

Theorem 11. Let w ∈ S_Cnt be a state of Cnt(Sk_abs(A)) and q ∈ AP_D be a
proposition expressing a justice constraint. If there exists a state σ ∈ S_ω such
that w = h^dc(σ) and q ∈ λ_ω(σ), then there exists a state (p, g, K) of VASS_Λ
satisfying the following condition:

$$q \in \lambda_{VASS_\Lambda}((p, g, K))\ \wedge \bigwedge_{1 \le i \le |L|} \mathit{in}(K_i, w.\kappa[i])\ \wedge \bigwedge_{1 \le j \le |\Gamma|} \mathit{in}(g_j, w.g_j)$$

In other words, if the formula from Theorem 11 is unsatisfiable, there is no
state σ ∈ S_ω with q ∈ λ_ω(σ) abstracted to w. Thus, w is unjust.

Remark 2. The system VASS_Λ and the constraints of Theorems 10 and 11 can
be encoded in an SMT solver. By checking satisfiability we detect spurious transitions
and unjust states. Moreover, unsatisfiable cores allow us to prune several
spurious transitions and unjust states at once.

B.3 Invariant Candidates Provided by the User

In the transition-based approach of the previous section we cannot detect paths
as being spurious in the case they do not contain uniformly spurious transitions
(cf. the beginning of Section B). In this case human guidance might help: an expert
gives an invariant candidate. Assuming the invariant candidate is expressed as
a formula Inv over a global state (p, g, K) of VASS_Λ, the invariant candidate can
be automatically proven to indeed be an invariant by verifying satisfiability
of the formulas:

$$\mathit{Init}(p, g, K) \rightarrow \mathit{Inv}(p, g, K) \quad (11)$$

$$\mathit{Inv}(p, g, K) \wedge \mathit{Step}(p, g, K, p, g', K') \rightarrow \mathit{Inv}(p, g', K') \quad (12)$$

Then a transition (w, w') ∈ R_Cnt is spurious if the following formula is not
satisfiable:

$$\mathit{Inv}(p, g, K) \wedge \mathit{Step}(p, g, K, p, g', K') \wedge \mathit{Inv}(p, g', K')\ \wedge$$

$$\bigwedge_{1 \le i \le |L|} \big(\mathit{in}(K_i, w.\kappa[i]) \wedge \mathit{in}(K'_i, w'.\kappa[i])\big)\ \wedge \bigwedge_{1 \le j \le |\Gamma|} \big(\mathit{in}(g_j, w.g_j) \wedge \mathit{in}(g'_j, w'.g_j)\big)$$

If we receive a counterexample T̂ that cannot be refined with the techniques
from the previous section, we test each transition of T̂ against the above formula.
If the formula is unsatisfiable for a transition (w, w') ∈ T̂, it is sound to remove it
from Cnt(Sk_abs(A)) due to Theorem 8, Equations (11) and (12), and the formula above.

Example 1. To give an impression of how simple an invariant can be: for our case
study (cf. Section 5) the relay specification required us to introduce the following
invariant candidate. If L_S = {ℓ ∈ L | ℓ.sv = SE ∨ ℓ.sv = AC}, then the following
formula is an invariant: $\mathit{nsnt} = \sum_{\ell \in L_S} K_\ell$. Intuitively, it captures the obvious
property that the number of messages sent is equal to the number of processes
that have sent a message. This property was, however, lost in the course of
abstraction.

C Detailed Proofs 

C.1 Additional Definitions.

Parallel Composition. Given p ∈ P_RC and a parameterized process skeleton
Sk = (S, S^0, R), we can define a system instance. Let AP be a set of atomic propositions.
A system instance Inst(p, Sk) is a Kripke structure (S_I, S^0_I, R_I, AP, λ_I)
where:

- The set of (global) states is $S_I = \{(\sigma[1], \ldots, \sigma[N(p)]) \in (S|_p)^{N(p)} \mid \forall i, j \in \{1, \ldots, N(p)\}.\ \sigma[i] =_{\Pi \cup \Gamma} \sigma[j]\}$. More informally, a global state σ is a Cartesian
product of the states σ[i] of each process i, where the values of the parameters
and shared variables are the same at each process.

- $S^0_I = (S^0)^{N(p)} \cap S_I$ is the set of initial (global) states, where $(S^0)^{N(p)}$ is the
Cartesian product of the initial states of the individual processes.

- A transition (σ, σ') from a global state σ ∈ S_I to a global state σ' ∈ S_I
belongs to R_I iff there is an index i, 1 ≤ i ≤ N(p), such that:

(move). The i-th process moves: (σ[i], σ'[i]) ∈ R|_p.

(frame). The values of the local variables of the other processes are preserved:
for every process index j ≠ i, 1 ≤ j ≤ N(p), it holds that
σ[j] =_{{sv}∪Λ} σ'[j].

- λ_I : S_I → 2^AP is a state labeling function.

Simulation. In order to compare the behavior of system instances we use the
notion of simulation. Given two Kripke structures M_1 = (S_1, S^0_1, R_1, AP, λ_1) and
M_2 = (S_2, S^0_2, R_2, AP, λ_2), a relation H ⊆ S_1 × S_2 is a simulation relation with
respect to a set of atomic propositions AP' ⊆ AP iff for every pair of states
(s_1, s_2) ∈ H the following conditions hold:

- λ_1(s_1) ∩ AP' = λ_2(s_2) ∩ AP'

- for every state t_1 with (s_1, t_1) ∈ R_1 there is a state t_2 with the property
(s_2, t_2) ∈ R_2 and (t_1, t_2) ∈ H.

If there is a simulation relation H on M_1 and M_2 such that for every initial
state s^0_1 ∈ S^0_1 there is an initial state s^0_2 ∈ S^0_2 with the property (s^0_1, s^0_2) ∈ H,
then we write M_1 ≤ M_2. In this case we say M_1 is simulated by M_2.

C.2 The Proofs. 

Proposition 2. For all p ∈ P_RC and all a ∈ D it holds that:

$$a \ge \vartheta_j(p) \text{ iff } \alpha_p(a) \ge I_j, \qquad \text{and} \qquad a < \vartheta_j(p) \text{ iff } \alpha_p(a) < I_j$$

Proof. Fix an arbitrary p ∈ P_RC.

Case a ≥ ϑ_j(p). (⇒) Fix an arbitrary a ∈ D satisfying a ≥ ϑ_j(p). Let k be the
maximum number such that a ≥ ϑ_k(p). Then α_p(a) = I_k. By the definition of α_p we
have k ≥ j and thus, by Definition 3, I_k ≥ I_j. It immediately gives α_p(a) ≥ I_j.

(⇐) Let a ∈ D be a value satisfying α_p(a) ≥ I_j. There is k such that
α_p(a) = I_k and a ≥ ϑ_k(p). From α_p(a) ≥ I_j it follows that I_k ≥ I_j and,
by Definition 2, k ≥ j. Then by Definition 1 we have ϑ_k(p) ≥ ϑ_j(p) and by
transitivity a ≥ ϑ_j(p).

Case a < ϑ_j(p). (⇒) Fix an arbitrary a ∈ D satisfying a < ϑ_j(p). Let k be the
maximum number such that a ≥ ϑ_k(p). Then α_p(a) = I_k.

Consider the case when k ≥ j. By Definition 2 it implies I_k ≥ I_j. It immediately
gives α_p(a) ≥ I_j, which contradicts the assumption a < ϑ_j(p). Thus, the
only case is k < j.

By Definition 3, k < j implies I_k ≤ I_j. As we excluded the case k = j we
have I_k ≤ I_j, I_k ≠ I_j or, equivalently, α_p(a) = I_k < I_j.

(⇐) Let a ∈ D be a value satisfying α_p(a) < I_j or, equivalently, α_p(a) ≤ I_j
and α_p(a) ≠ I_j. There exists k such that α_p(a) = I_k and either (a) a < ϑ_{k+1}(p)
or (b) k = μ. From the assumption we have I_k ≤ I_j and I_k ≠ I_j. From this
we conclude: (c) k ≠ μ, excluding (b); (d) I_{k+1} ≤ I_j. From (d) by Definition 2,
k + 1 ≤ j. This implies by Definition 1 ϑ_{k+1}(p) ≤ ϑ_j(p). From this and (a) we
conclude that a < ϑ_j(p). □

Proposition 3. If Φ is a formula over variables x_1, …, x_k over D, then Φ_E
is a PIA existential abstraction.

Proof. Consider an arbitrary d ∈ ||Φ||_E. As d ∈ ||Φ||_E, it satisfies the conjunct
x_1 = d_1 ∧ ⋯ ∧ x_k = d_k and thus satisfies the disjunction Φ_E, i.e. x = d ⊨ Φ_E. As
d is chosen arbitrarily, we conclude that ||Φ||_E ⊆ {d ∈ D^k | x = d ⊨ Φ_E}. □

Theorem 2. For all p ∈ P_RC, and for all CFA A, if the system instance
Inst(p, Sk(A)) = (S_I, S^0_I, R_I, AP, λ_I) and the system instance Inst(p, Sk_abs(A)) =
(S_Î, S^0_Î, R_Î, AP, λ_Î), then:

$$\text{if } (\sigma, \sigma') \in R_I, \text{ then } (h^{dat}_p(\sigma), h^{dat}_p(\sigma')) \in R_{\hat I}.$$

Proof. Let R and R_abs be the transition relations of Sk(A) and Sk_abs(A), respectively.
From (σ, σ') ∈ R_I and the definition of Inst(p, Sk(A)) it follows that there
is a process index i : 1 ≤ i ≤ N(p) such that (σ[i], σ'[i]) ∈ R and the other processes
do not change their local states.

Let v be a valuation of A. By the definition of Sk(A), from (σ[i], σ'[i]) ∈ R
we have that CFA A has a path q_1, g_1, q_2, …, q_k such that q_1 = q_I, q_k = q_F and
for every guard g_j it holds that v ⊨ g_j. Moreover, for any x ∈ Π ∪ Λ ∪ Γ ∪ {sv}
it holds v(x) = σ[i].x and v(x') = σ'[i].x.

We choose the same path in abst(A) and construct the valuation h^dat_p(v).
From Theorem 1 we have that for every guard g_j it holds that h^dat_p(v) ⊨ g_j.
Hence, the path q_1, g_1, q_2, …, q_k is a path of CFA abst(A) as well.

By the definitions of h^dat_p on valuations and on global states we have that for every x ∈ Π ∪ Λ ∪ Γ ∪
{sv} it holds h^dat_p(v)(x) = h^dat_p(σ)[i].x and h^dat_p(v)(x') = h^dat_p(σ')[i].x. By the
definition of Sk_abs(A) it immediately follows that (h^dat_p(σ), h^dat_p(σ')) ∈ R_abs.

Finally, (h^dat_p(σ), h^dat_p(σ')) ∈ R_abs implies that (h^dat_p(σ), h^dat_p(σ')) ∈ R_Î. □

Theorem 4. Let π = {σ_i}_{i≥1} be a J-fair path of Inst(p, Sk(A)). Then π̂ =
{h^dat_p(σ_i)}_{i≥1} is a J-fair path of Inst(p, Sk_abs(A)).
Proof. By inductively applying Theorem 2 to π we conclude that π̂ is indeed a
path of Inst(p, Sk_abs(A)).

Fix an arbitrary justice constraint q ∈ J ⊆ AP_D; infinitely many states on π
are labelled with q. Fix a state σ on π with q ∈ λ_I(σ). We show that q ∈ λ_Î(h^dat_p(σ)).
Consider two cases:

Case 1. Proposition q has the form [∃i. Φ(i)], where Φ has free variables of two
types: a vector of parameters x^p = x^p_1, …, x^p_m from Π and a vector of variables
x^v = x^v_1, …, x^v_k from V. There is a process index i : 1 ≤ i ≤ N(p) such that σ[i] ⊨
Φ(i). Hence, x^p = p, x^v_1 = σ[i].x_1, …, x^v_k = σ[i].x_k ⊨ Φ(i). From the definition
of the existential approximation it follows that (α_p(σ[i].x_1), …, α_p(σ[i].x_k)) ∈
||Φ(i)||_E. Thus, x̂_1 = α_p(σ[i].x_1), …, x̂_k = α_p(σ[i].x_k) ⊨ α_E(Φ(i)). As for every
x_j, 1 ≤ j ≤ k, the value h^dat_p(σ)[i].x_j is exactly x̂_j, we arrive at h^dat_p(σ)[i] ⊨
α_E(Φ(i)). Then by the construction of λ_Î it holds that [∃i. Φ(i)] ∈ λ_Î(h^dat_p(σ)).

Case 2. Proposition q has the form [∀i. Φ(i)], where Φ has free variables of two
types: a vector of parameters x^p = x^p_1, …, x^p_m from Π and a vector of variables
x^v = x^v_1, …, x^v_k from V. Then for every process index i : 1 ≤ i ≤ N(p) it holds σ[i] ⊨
Φ(i). By fixing an arbitrary i : 1 ≤ i ≤ N(p) and repeating exactly the same
argument as in Case 1, we show that h^dat_p(σ)[i] ⊨ α_E(Φ(i)). As i is chosen
arbitrarily, we conclude that $\bigwedge_{1 \le i \le N(p)} h^{dat}_p(\sigma)[i] \models \alpha_E(\Phi(i))$. By the construction
of λ_Î it holds that [∀i. Φ(i)] ∈ λ_Î(h^dat_p(σ)).

From Cases 1 and 2 we conclude that q ∈ λ_Î(h^dat_p(σ)). As we chose σ to be an
arbitrary state on π labelled with q and we know that there are infinitely many
such states on π, we have shown that there are infinitely many states h^dat_p(σ) on
π̂ labelled with q. Finally, as q was chosen to be an arbitrary justice constraint
from J, we conclude that every justice constraint q ∈ J appears infinitely often
on π̂.

This proves that π̂ is a fair path. □

Theorem 5. For all p ∈ P_RC and all finite state process skeletons Sk, let the
system instance Inst(p, Sk) = (S_I, S^0_I, R_I, AP, λ_I), and Cnt(Sk) = (S_Cnt, S^0_Cnt, R_Cnt, AP, λ_Cnt).
Then:

$$\text{if } (\sigma, \sigma') \in R_I, \text{ then } (h^{cnt}_p(\sigma), h^{cnt}_p(\sigma')) \in R_{Cnt}.$$

Proof. We have to show that if (σ, σ') ∈ R_I, then w = h^cnt_p(σ) and w' =
h^cnt_p(σ') satisfy (1) to (10). We first note that as (σ, σ') ∈ R_I, it follows from
the (move) property of transition relations that there is a process index i such
that (σ[i], σ'[i]) ∈ R|_p; we will use the existence of i in the following:

(1). Abbreviating s = σ[i] and s' = σ'[i], (1) follows.

(3) and (5). Follow immediately from the definition of L.

(2). From the definition of h^cnt_p it follows that w.κ[from] = α_p(K(σ, from)).
From the existence of the index i it follows that K(σ, from) ≥ 1. Hence, we
have K(σ, from) ≠ 0 and from the definition of α_p it follows that α_p(K(σ, from)) ≠
I_0. From α_p(1) = I_1 and Definition 2 of the total order we conclude (2).

(4) and (6). Follow immediately from the definition of h^cnt_p.

(7). Since to = from, it follows from (3) and (5) that s =_{{sv}∪Λ} s'. Thus
the process with index i does not change its local state. Moreover, from the
property (frame) of transition relations, all processes other than i maintain
their local state. It follows that for all ℓ in L, K(σ, ℓ) = K(σ', ℓ), and further
that α_p(K(σ, ℓ)) = α_p(K(σ', ℓ)), and in particular α_p(K(σ, from)) =
α_p(K(σ', from)). Then (7) follows from the definition of h^cnt_p.

(8) and (9). From the property (frame) of transition relations, all processes
other than i maintain their local state. Since to ≠ from it follows that i changes
its local state. It follows that

$$K(\sigma', \mathit{to}) = K(\sigma, \mathit{to}) + 1, \quad (13)$$

$$K(\sigma', \mathit{from}) = K(\sigma, \mathit{from}) - 1. \quad (14)$$

From the definition of h^cnt_p we have

$$w'.\kappa[\mathit{to}] = \alpha_p(K(\sigma', \mathit{to})) \ \text{ and } \ w.\kappa[\mathit{to}] = \alpha_p(K(\sigma, \mathit{to})) \quad (15)$$

$$w'.\kappa[\mathit{from}] = \alpha_p(K(\sigma', \mathit{from})) \ \text{ and } \ w.\kappa[\mathit{from}] = \alpha_p(K(\sigma, \mathit{from})) \quad (16)$$

From Proposition 1 it follows that

$$K(\sigma', \mathit{to}) \in \gamma_p(w'.\kappa[\mathit{to}]) \ \text{ and } \ K(\sigma, \mathit{to}) \in \gamma_p(w.\kappa[\mathit{to}]) \quad (17)$$

$$K(\sigma', \mathit{from}) \in \gamma_p(w'.\kappa[\mathit{from}]) \ \text{ and } \ K(\sigma, \mathit{from}) \in \gamma_p(w.\kappa[\mathit{from}]). \quad (18)$$

Point (8) follows from (13), (17), and the definition of the existential abstraction
α_E, while (9) follows from (14), (18), and the definition of the existential abstraction
α_E.

(10). From property (frame), processes other than i do not move. The move
of process i does not change the number of processes in states other than from
and to. Consequently, for all local states ℓ different from from and to it holds
that K(σ', ℓ) = K(σ, ℓ). It follows that α_p(K(σ', ℓ)) = α_p(K(σ, ℓ)), and (10)
follows from the definition of h^cnt_p. □

Theorem 6. For all $p \in \mathit{Prc}$, and for all finite state process skeletons $\mathrm{Sk}$, $\mathrm{Inst}(p, \mathrm{Sk}) \preceq \mathrm{Cnt}(\mathrm{Sk})$ with respect to $AP_{SV}$.

Proof. Due to Theorem 5 it is sufficient to show that if a proposition $p \in AP_{SV}$ holds in state $\sigma$ of $\mathrm{Inst}(p, \mathrm{Sk})$ then it also holds in state $h^{cnt}_p(\sigma)$. We distinguish the two types of propositions.

If $p = [\forall i.\ sv_i = Z]$, then $p \in \lambda_I(\sigma)$ follows from $\bigwedge_{1 \le i \le N(p)} (\sigma[i].sv = Z)$. Thus, in global state $\sigma$ all processes are in a local state with $sv = Z$. In other words, no process is in a local state with $sv \ne Z$. It follows that each local state $\ell$ satisfies in $\sigma$ that $\ell.sv = Z$ or $K(\sigma, \ell) = 0$. From the definition of $h^{cnt}_p$ and the definition of $\lambda_{Cnt}$ this case follows.

If $p = [\exists i.\ sv_i = Z]$, then it follows from $p \in \lambda_I(\sigma)$ that $\bigvee_{1 \le i \le N(p)} (\sigma[i].sv = Z)$. Thus, in global state $\sigma$ there is a process in a local state $\ell$ with $sv = Z$. It follows that $K(\sigma, \ell) > 0$. From the definition of $h^{cnt}_p$ and the definition of $\lambda_{Cnt}$ the theorem follows. □
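The counter abstraction $h^{cnt}_p$ and the labelling $\lambda_{Cnt}$ used in Theorems 5 and 6 (and the existential/universal labelling rule (19)/(20) used in the proof of Theorem 7 below) can be exercised on a small instance. The following Python script is an added example, not code from the paper or from its verification tool. It assumes an illustrative PIA whose interval boundaries are 0, 1, t+1 and n−t (these thresholds are an assumption of the example), keeps the global variables unabstracted, and evaluates Φ(i) directly as a Python predicate on a local state instead of its existential abstraction α_E(Φ(i)). It computes K(σ,ℓ) and the abstract counters w.k[ℓ], checks the counter conditions (8)–(10) of the simulation for a single concrete step, and checks that an AP_SV proposition holding in σ also holds in h(σ), as Theorem 6 states; the sample system (n = 4, t = 1, local states named by their status value) is constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Illustrative parametric interval abstraction (PIA). The boundaries below
# (0, 1, t+1, n-t) are an ASSUMPTION of this example, giving the intervals
# I_0 = [0,1), I_1 = [1,t+1), I_2 = [t+1,n-t), I_3 = [n-t, oo).
def thresholds(n: int, t: int) -> List[int]:
    return [0, 1, t + 1, n - t]

def alpha(x: int, n: int, t: int) -> int:
    """alpha_p(x): index j of the interval I_j that contains the counter value x."""
    j = 0
    for idx, lo in enumerate(thresholds(n, t)):
        if x >= lo:
            j = idx
    return j

def gamma(j: int, n: int, t: int) -> set:
    """gamma_p(I_j): concrete counter values in I_j. A counter never exceeds n
    (there are only n processes), so the unbounded last interval is cut at n."""
    th = thresholds(n, t)
    hi = th[j + 1] if j + 1 < len(th) else n + 1
    return set(range(th[j], hi))

def alpha_E(rel: Callable[[int, int], bool], n: int, t: int) -> set:
    """Existential abstraction of a relation on counters: the interval pairs
    (I_a, I_b) that contain at least one concrete pair (x, y) with rel(x, y)."""
    m = len(thresholds(n, t))
    return {(a, b) for a in range(m) for b in range(m)
            if any(rel(x, y) for x in gamma(a, n, t) for y in gamma(b, n, t))}

@dataclass
class Concrete:
    """Global state sigma of Inst(p, Sk): local[i] is the local state of process i."""
    local: List[str]
    globs: Dict[str, int]

@dataclass
class Abstract:
    """State w of Cnt: k[ell] is an interval index; globals are kept as they are."""
    k: Dict[str, int]
    globs: Dict[str, int]

def K(sigma: Concrete, ell: str) -> int:
    """K(sigma, ell): number of processes whose local state equals ell."""
    return sum(1 for s in sigma.local if s == ell)

def h_cnt(sigma: Concrete, L: List[str], n: int, t: int) -> Abstract:
    """h^cnt_p: w.k[ell] = alpha_p(K(sigma, ell)) for every local state ell in L."""
    return Abstract(k={ell: alpha(K(sigma, ell), n, t) for ell in L},
                    globs=dict(sigma.globs))

def step(sigma: Concrete, i: int, to: str) -> Concrete:
    """Process i moves to local state `to`; by property (frame) nobody else moves."""
    new_local = list(sigma.local)
    new_local[i] = to
    return Concrete(new_local, dict(sigma.globs))

def simulation_holds(sigma: Concrete, i: int, to: str, L: List[str], n: int, t: int) -> bool:
    """Counter conditions proved in Theorem 5 for one concrete step:
    (8)  (w.k[to],   w'.k[to])   lies in alpha_E(y = x + 1),
    (9)  (w.k[from], w'.k[from]) lies in alpha_E(y = x - 1),
    (10) every other counter is unchanged; if to = from no counter changes."""
    frm = sigma.local[i]
    w, w2 = h_cnt(sigma, L, n, t), h_cnt(step(sigma, i, to), L, n, t)
    if frm == to:
        return w2.k == w.k
    inc = alpha_E(lambda x, y: y == x + 1, n, t)
    dec = alpha_E(lambda x, y: y == x - 1, n, t)
    return ((w.k[to], w2.k[to]) in inc
            and (w.k[frm], w2.k[frm]) in dec
            and all(w.k[l] == w2.k[l] for l in L if l not in (frm, to)))

Pred = Callable[[str, Dict[str, int]], bool]   # Phi(i) as a predicate on (local state, globals)

def holds_concrete(kind: str, phi: Pred, sigma: Concrete) -> bool:
    """[exists i. Phi(i)] resp. [forall i. Phi(i)] evaluated on Inst(p, Sk)."""
    vals = [phi(s, sigma.globs) for s in sigma.local]
    return any(vals) if kind == "exists" else all(vals)

def holds_abstract(kind: str, phi: Pred, w: Abstract, L: List[str]) -> bool:
    """lambda_Cnt as in (19)/(20): a local state counts only if its counter is not I_0."""
    if kind == "exists":
        return any(phi(ell, w.globs) and w.k[ell] != 0 for ell in L)
    return all(phi(ell, w.globs) or w.k[ell] == 0 for ell in L)

def label_preserved(kind: str, phi: Pred, sigma: Concrete, L: List[str], n: int, t: int) -> bool:
    """Theorem 6 direction: a proposition holding in sigma also holds in h^cnt_p(sigma)."""
    return (not holds_concrete(kind, phi, sigma)) or holds_abstract(kind, phi, h_cnt(sigma, L, n, t), L)

# Constructed sample: n = 4, t = 1; three processes in three different
# local states, the state "ac" is empty, one global message counter.
SAMPLE_L = ["v0", "v1", "se", "ac"]
SAMPLE_SIGMA = Concrete(["v1", "v1", "se", "v0"], {"nsnt": 1})

if __name__ == "__main__":
    w = h_cnt(SAMPLE_SIGMA, SAMPLE_L, 4, 1)
    print("abstract counters:", w.k)
    print("step of process 2 from se to ac simulated:",
          simulation_holds(SAMPLE_SIGMA, 2, "ac", SAMPLE_L, 4, 1))
    for kind in ("exists", "forall"):
        for z in SAMPLE_L:
            ok = label_preserved(kind, lambda s, g, z=z: s == z, SAMPLE_SIGMA, SAMPLE_L, 4, 1)
            print(f"[{kind} i. sv_i = {z}] preserved by h_cnt:", ok)
```

Only the direction of Theorem 6 is checked (concrete label implies abstract label); the converse fails in general, because a counter in $I_1 = [1, t+1)$ says nothing about which of the processes it counts satisfy Φ.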

Theorem 7. Let $\pi = \{\sigma_i\}_{i \ge 1}$ be a $J$-fair path of $\mathrm{Inst}(p, \mathrm{Sk}_{abs}(\Delta))$. Then $\hat{\pi} = \{h^{cnt}_p(\sigma_i)\}_{i \ge 1}$ is a $J$-fair path of $\mathrm{Cnt}$.

Proof. By inductively applying Theorem 5 to $\pi$ we conclude that $\hat{\pi}$ is indeed a path of $\mathrm{Cnt}$.

Fix an arbitrary justice constraint $q \in J \subseteq AP_D$; infinitely many states on $\pi$ are labelled with $q$. Fix an arbitrary state $\sigma$ on $\pi$ such that $q \in \lambda_I(\sigma)$. We show that $q \in \lambda_{Cnt}(w)$, where $w = h^{cnt}_p(\sigma)$.

Propositions from $AP_D$ have the form $[\exists i.\ \Phi(i)]$ and $[\forall i.\ \Phi(i)]$, where each $\Phi(i)$ has free variables of the following types: a vector of parameters $x^p = x^p_1, \ldots, x^p_m$ from $\Pi$, a vector of local variables $x^\ell = x^\ell_1, \ldots, x^\ell_k$ from $\Lambda$, and a vector of global variables $x^g = x^g_1, \ldots, x^g_m$ from $\Gamma$.

$[\exists i.\ \Phi(i)] \in \lambda_{Cnt}(w)$ iff $\bigvee_{\ell \in L} \big( x^\ell = \ell,\ x^g =_\Gamma w \models \alpha_E(\Phi(i)) \ \wedge\ w.k[\ell] \ne I_0 \big)$ (19)
$[\forall i.\ \Phi(i)] \in \lambda_{Cnt}(w)$ iff $\bigwedge_{\ell \in L} \big( x^\ell = \ell,\ x^g =_\Gamma w \models \alpha_E(\Phi(i)) \ \vee\ w.k[\ell] = I_0 \big)$ (20)
Consider two cases: 

Existential case (19). There is a process index $i : 1 \le i \le N(p)$ such that $\sigma[i] \models \alpha_E(\Phi(i))$.

Consider a local state $\ell \in L$ with $\ell =_\Lambda \sigma[i]$. As $\sigma[i] \models \alpha_E(\Phi(i))$ it follows that $x^\ell_1 = \ell.x^\ell_1, \ldots, x^\ell_k = \ell.x^\ell_k,\ x^g_1 = w.x^g_1, \ldots, x^g_m = w.x^g_m \models \alpha_E(\Phi(i))$. As $i$ is the index of a process with $\ell =_\Lambda \sigma[i]$, it immediately follows that $K(\sigma, \ell) \ne 0$. From the definition of $\alpha$ it follows that for every $p \in \mathit{Prc}$ it holds $\alpha_p(K(\sigma, \ell)) \ne I_0$. Thus, by the definition of $h^{cnt}_p$ we have $w.k[\ell] \ne I_0$.

Hence, both requirements of equation (19) are met for $\ell$, and from the property of disjunction we have $q \in \lambda_{Cnt}(w)$.

Universal case (20). Then for every process index $i : 1 \le i \le N(p)$ it holds $\sigma[i] \models \alpha_E(\Phi(i))$.

By fixing an arbitrary $i : 1 \le i \le N(p)$, choosing $\ell \in L$ with $\ell =_\Lambda \sigma[i]$ and by repeating exactly the same argument as in the existential case, we show that $x^\ell_1 = \ell.x^\ell_1, \ldots, x^\ell_k = \ell.x^\ell_k,\ x^g_1 = w.x^g_1, \ldots, x^g_m = w.x^g_m \models \alpha_E(\Phi(i))$. Thus, for every $\ell \in L$ such that there exists $i : 1 \le i \le N(p)$ with $\ell =_\Lambda \sigma[i]$ the disjunct for $\ell$ in (20) holds true.

Consider $\ell' \in L$ such that for every $i : 1 \le i \le N(p)$ it holds $\ell' \ne_\Lambda \sigma[i]$. It immediately follows that $K(\sigma, \ell') = 0$; from the definition of $\alpha_p$ we have that $\alpha_p(K(\sigma, \ell')) = I_0$ and thus $w.k[\ell'] = I_0$. Then for $\ell'$ the disjunct in (20) holds true as well.

Thus, we conclude that the conjunction on the right-hand side of equation (20) holds, which immediately results in $q \in \lambda_{Cnt}(w)$.

From the universal case and the existential case we conclude that $q \in \lambda_{Cnt}(w)$. As we chose $\sigma$ to be an arbitrary state on $\pi$ labelled with $q$, and we know that there are infinitely many such states on $\pi$, we have shown that there are infinitely many states $h^{cnt}_p(\sigma)$ on $\hat{\pi}$ labelled with $q$. Finally, as $q$ was chosen to be an arbitrary justice constraint from $J$, we conclude that every justice constraint $q \in J$ appears infinitely often on $\hat{\pi}$.

This proves that $\hat{\pi}$ is a fair path. □